
"OPTIONS / RTSP/1.0" – Apache Access Log Entry

Published 25 Oct, 2023. Modified 25 Oct, 2023.

Analysing "OPTIONS / RTSP/1.0" in an Apache access log file.



We detected a log entry in our Apache Access logs.

2a06:4880:1000::20 - - [25/Oct/2023:00:10:14 +0000] "OPTIONS / RTSP/1.0" 400 491 "-" "-"

This log entry indicates that a request was made using the OPTIONS method and the RTSP/1.0 protocol.

Here’s a breakdown:

  • 2a06:4880:1000::20: This is an IPv6 address of the client that made the request.
  • [25/Oct/2023:00:10:14 +0000]: Timestamp of when the request was received.
  • “OPTIONS / RTSP/1.0”: This indicates a request using the OPTIONS method for the root (/) of your server using the RTSP/1.0 protocol.
  • 400: HTTP status code returned by your server. A 400 status code means “Bad Request,” indicating that there was something wrong with the request sent by the client.
  • 491: Size of the response in bytes.
  • “-” “-”: Placeholders for the referrer and user agent, respectively. Both are absent in this request.

What does this mean?

  1. RTSP (Real Time Streaming Protocol): RTSP is a network control protocol used for streaming media services. The fact that there’s an RTSP request on an Apache server (typically serving HTTP/HTTPS requests) is unusual and can be considered suspicious unless you are indeed running a media streaming server.
  2. Potential Scanning Activity: Like the previous log entry, this could be an indication of automated scanning activity. Bots or attackers often probe servers looking for open ports, services, or vulnerabilities they can exploit.
  3. Bad Request: The 400 response indicates that your server recognized the request as malformed or unsupported.

What should you do if this happens to you?

  1. Verify Your Services: Make sure you are aware of all services running on your server. If you’re not intentionally running a streaming server or service that uses RTSP, this log entry is even more suspicious.
  2. Firewall: Ensure you have a firewall in place and only necessary ports are open. Close any ports that you don’t need. For example, if you’re not running a streaming server, there’s no reason for RTSP-related ports (like 554) to be open.
  3. Regular Monitoring: Continuously monitor server logs for unusual or unexpected requests.
  4. Block Suspicious IPs: If you notice a pattern of suspicious requests from specific IP addresses, consider blocking those IPs.
  5. Updates & Patches: Ensure all server software is updated regularly. This includes the OS, server software, and any other utilities or services you are running.
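
For the monitoring and blocking steps above, a short script can pull entries like this one out of an access log and count them per client address. This is an added example, not code from the original article; it assumes the Apache "combined" log format, and the function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Protocol tokens Apache logs for genuine HTTP traffic (HTTP/1.0, HTTP/1.1, HTTP/2.0).
HTTP_PROTO_RE = re.compile(r'^HTTP/\d(?:\.\d)?$')

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    parts = entry["request"].split()
    # A well-formed request line is "METHOD target PROTOCOL"; anything else has no protocol.
    entry["protocol"] = parts[2] if len(parts) == 3 else ""
    return entry

def non_http_requests(lines):
    """Entries whose request line does not name an HTTP version (e.g. RTSP/1.0)."""
    entries = (parse_line(line) for line in lines)
    return [e for e in entries if e and not HTTP_PROTO_RE.match(e["protocol"])]

def hosts_by_hits(entries):
    """Client addresses ordered by number of flagged requests, for blocklist review."""
    return Counter(e["host"] for e in entries).most_common()

# First line is the entry from this article; the rest are constructed sample data
# using documentation address ranges (192.0.2.0/24, 2001:db8::/32).
SAMPLE_LOG = [
    '2a06:4880:1000::20 - - [25/Oct/2023:00:10:14 +0000] "OPTIONS / RTSP/1.0" 400 491 "-" "-"',
    '2001:db8::5 - - [25/Oct/2023:00:11:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Oct/2023:00:12:40 +0000] "OPTIONS / RTSP/1.0" 400 491 "-" "-"',
    '192.0.2.44 - - [25/Oct/2023:00:12:41 +0000] "OPTIONS / RTSP/1.0" 400 491 "-" "-"',
    '2001:db8::5 - - [25/Oct/2023:00:13:00 +0000] "OPTIONS * HTTP/1.1" 200 - "-" "-"',
]

if __name__ == "__main__":
    for host, count in hosts_by_hits(non_http_requests(SAMPLE_LOG)):
        print(f"{host}\t{count}")
```

The last sample line is an ordinary HTTP OPTIONS request and is not flagged: the check keys on the protocol token, not on the method.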